Introducing FIDO U2F v1.2: Changes Overview

Yuriy Ackermann, Sr. Certification Engineer, FIDO Alliance

The FIDO Alliance is pleased to announce the release of the FIDO U2F version 1.2 specification. This update has been published as a “Proposed Standard” and comes after several months of work by FIDO members. The changes include:

Improvements to JavaScript and MessagePort APIs

U2F metadata statement support

Attestation Certificate X.509 Transport extension added

Silent-authentication mode added

Various fixes and editorial updates

Silent authenticator support is the highlight feature of this update. It is particularly useful to FIDO-based federated solutions that need silent mode for “bearer token” like authentication modes. The major advantage of FIDO-based solutions is that key material cannot be compromised. Since FIDO protocols are based on digital signatures, and the private key is stored generally in secure enclaves, federated identity schemes can use the authenticator as an unrecoverable bearer token, and not worry about cross-site scripting (XSS) and malware on the client side.

With added support for Metadata Statements, vendors now can register FIDO U2F authenticators with a metadata service. This is particularly useful for service providers who would want to restrict the types of the authenticators they accept. For example, a service provider may only allow FIDO Certified authenticators, or it may be required by regulation to only accept government-approved authenticators supporting particular protocols or certifications, such as FIPS, CSPN, AFSCM and others.

Another interesting feature is FIDO U2F X.509 Transport Extension. This gives service providers a better picture of the types of authenticators the user has, which helps improve the user experience.